Forum Discussion
Server side profile handshake fails
The handshake between the Siebel web server and the F5 virtual server fails when I attach the server-side profile to the VS and the server is set to the HTTPS port, although they have configured the web server so that it does not authenticate the client (F5). If I try the web server directly, it works through HTTPS. But when I send traffic through the F5, the client-side handshake is successful but the server-side handshake fails while the default server-side profile is attached. Because the server is not authenticating, the F5 does not require any certificate, so why is the handshake failing?
15 Replies
- shaggy
Nimbostratus
It could be a number of reasons. I would first try using the serverssl-insecure-compatible server-ssl profile to see if the additional allowed ciphers resolve the issue.
Try capturing the server-side SSL handshake with tcpdump to see where in the handshake process the failure occurs.
- nolipineda
Altostratus
Agree with shaggy. A colleague of mine had this same issue and I reconfigured the VS to use the insecure profile to begin with. It turns out the server supported a legacy cipher that's not included in the default serverssl profile.
I will try this today. I have the tcpdump; can you explain it to me? The server IP is 10.50.169.31 and the F5 LTM automap IP is 10.50.169.1 (floating IP; the actual VS is 10.50.171.5:4443).
- Ahh, I cannot upload the image; DevCentral is not allowing me. There are 10 packets. If you have an email, I can send it to you. Please.
- All the packets are SYN and ACK. There is no ClientHello or ServerHello packet, so I assume that the process doesn't even start between the F5 and the server. I will try the insecure SSL server profile today. Thanks.
- nolipineda
Altostratus
Server-side comms is between the F5 and the back-end server. What is the IP of the back-end server? Are they on the same VLAN? If not, does your F5 device have a route to the server's network segment?
Sorry to bombard with more questions but can't help without these details.
- nolipineda
Altostratus
Try connecting from the BIG-IP CLI using this:
openssl s_client -connect servername:443
The output should give you an idea why it's failing.
You can also find more debugging options here: https://www.openssl.org/docs/apps/s_client.html
- nolipineda
Altostratus
serverssl-insecure-compatible profile should be sufficient:
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
It could be something else. AutoMap uses the configured Self-IP. You may want to assign a SNAT pool for your VS instead of AutoMap.
The problem is solved by putting the cipher of the server certificate in ciphers.
- Mako_57069
Nimbostratus
Can you please explain exactly what you did? I am having this same problem.
- Your server-side connection is failing? First of all, make a new profile with serverssl-insecure-compatible as the parent profile. In the Ciphers portion, check it and add this string:
DES-CBC3-SHA:!TLSv1_1:!SSLv3:!TLSv1_2:!DTLSv1
Hopefully this will work.
- Mako_57069
Nimbostratus
OK, the WebLogic admin is trying to create a self-signed cert but is obviously making it use SSLv3.
I created a profile serverssl-super-weak with SSLv3 as the cipher and it worked.
Not sure what to tell them to change when creating the cert.
- That's good to hear the thing is running now :) Is the cert currently in use the default one? In my case, even for another cert I had to keep that cipher string, otherwise the handshake was failing. So I guess it's something that remains the same with the web server and does not change with the cert. This will work with all their certs.
- shaggy
Nimbostratus
It's probably the SSL stack on the WebLogic server and not the actual cert causing the issue.
- Mako_57069
Nimbostratus
Yes, that is correct. I have similar configurations working for 50+ servers. This is the first time I have had this problem. I'm just wondering what the fix is on the WebLogic side.
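Added example (not written by any poster in this thread): a POSIX shell helper that reads `openssl s_client` output, as suggested earlier in the thread, and reports the negotiated protocol and cipher and whether that cipher is named literally in a server-SSL cipher string. The function names and the sample transcript are constructed; keywords such as DEFAULT and `!` exclusions in the cipher string are not expanded.

```shell
#!/bin/sh
# Added example: summarise the SSL-Session block printed by `openssl s_client`.

# Constructed transcript in s_client's layout; the Protocol and Cipher values
# are the ones quoted in the thread.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
---
EOF
}

# Read s_client output on stdin; print "<protocol> <cipher>", or "none none"
# when no session was negotiated (older OpenSSL then shows the cipher as 0000).
parse_session() {
  awk -F' *: *' '
    { sub(/[ \t\r]+$/, "") }            # drop trailing blanks and CRs
    /^ *Protocol *:/ { proto = $2 }
    /^ *Cipher *:/   { cipher = $2 }
    END {
      if (proto == "" || cipher == "" || cipher == "0000") print "none none"
      else print proto, cipher
    }'
}

# Succeed if cipher $1 is a literal element of the colon-separated string $2.
cipher_listed() {
  case ":$2:" in
    *":$1:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Usage: openssl s_client -connect servername:443 </dev/null 2>&1 | diagnose "$CIPHERS"
diagnose() {
  session=$(parse_session)
  proto=${session% *}
  cipher=${session#* }
  if [ "$cipher" = "none" ]; then echo "no-handshake"
  elif cipher_listed "$cipher" "$1"; then echo "listed $proto $cipher"
  else echo "not-listed $proto $cipher"
  fi
}

sample_output | diagnose 'DES-CBC3-SHA:!TLSv1_1:!SSLv3:!TLSv1_2:!DTLSv1'
```

A "not-listed" result means the server negotiated a cipher that the string passed to diagnose does not name explicitly; "no-handshake" means s_client itself could not complete a handshake.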